MacOS Lockdown Mode: A Forensic Deep Dive - Bhargav Rathod
Nullcon Goa 2025 · Main Stage
Apple's **Lockdown Mode**, introduced in 2022 with iOS 16 and macOS Ventura, represents a significant leap in consumer-grade security. Designed to protect high-risk individuals from sophisticated mercenary spyware attacks, this optional, extreme security feature substantially restricts device functionality to minimize the attack surface against state-sponsored threats like the notorious **Pegasus** spyware developed by **NSO Group**. In his Nullcon talk, Bhargav Rathod, a Security Analyst at Salesforce and an expert in digital forensics and incident response (**DFIR**), provides an exhaustive forensic deep dive into macOS Lockdown Mode, exploring its activation, its observable effects, and the critical artifacts it leaves behind.
AI review
Competent, methodical forensic survey of macOS Lockdown Mode artifacts — a topic that genuinely needed documentation. The research fills a real gap, but it stays in enumeration mode: here are the plists, here are the log entries, here are the UI tells. There's no novel attack surface uncovered, no bypass demonstrated, and no tool released, which keeps this firmly in 'solid reference material' territory rather than conference-defining work.